CVE-2026-25925
Published: 09 February 2026
Summary
CVE-2026-25925 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Modery Powerdocu. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 19.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely application of the vendor patch (v2.4.0) that fixes the unsafe JSON deserialization.
Requires validation of untrusted JSON inputs to block malicious $type properties that enable arbitrary .NET object instantiation and code execution.
Malicious code protection mechanisms scan and eradicate payloads in crafted JSON files or resulting code execution attempts from deserialization.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The deserialization flaw (CWE-502) in the PowerDocu Windows GUI client directly enables adversaries to supply malicious $type directives in JSON input, resulting in arbitrary .NET object instantiation and code execution when the user opens the file; this matches Exploitation for Client Execution exactly.
NVD Description
PowerDocu contains a Windows GUI executable to perform technical documentations. Prior to 2.4.0, PowerDocu contains a critical security vulnerability in how it parses JSON files within Flow or App packages. The application blindly trusts the $type property in JSON files,…
more
allowing an attacker to instantiate arbitrary .NET objects and execute code. This vulnerability is fixed in 2.4.0.
Deeper analysisAI
PowerDocu, a Windows GUI executable for performing technical documentations, contains a critical vulnerability (CVE-2026-25925, CWE-502: Deserialization of Untrusted Data) in versions prior to 2.4.0. The flaw arises during parsing of JSON files within Flow or App packages, where the application blindly trusts the $type property. This allows attackers to specify arbitrary .NET object types, leading to instantiation of malicious objects and remote code execution. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A local attacker can exploit this vulnerability by crafting a malicious JSON file or package with a manipulated $type property and tricking a user into opening it via the PowerDocu GUI. No privileges are required (PR:N), but user interaction is necessary (UI:R), such as double-clicking the file. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, enabling arbitrary code execution in the context of the user running PowerDocu.
The vulnerability is fixed in PowerDocu version 2.4.0. Security practitioners should advise users to update to this version immediately. Relevant advisories and patches are detailed in the GitHub security advisory (GHSA-m8j2-5jr7-2jpw) and the v2.4.0 release notes (https://github.com/modery/PowerDocu/releases/tag/v-2.4.0).
Details
- CWE(s)